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[57] ABSTRACT 

A method and apparatus for providing improved secu- 
rity for a personal identification number (PIN) in a 
personal identification and verification system of the 
type wherein a time dependent nonpredictable code is 
generated at a device in the possession of the individual, 
which code is unique to the individual and this code is 
communicated to. and compared with a nonpredictable 
code generated at a central verification computer. In 
this system, the PIN is mixed with the nonpredictable 
code before transmission of these values to the central 
verification computer. A nonsecret code is previously 
transmitted to the central verification computer and is 
used to retrieve the PIN and the appropriate non- 
predictable code for the user. These values are used to 
strip the PIN from the transmitted nonpredictable code 
and the stripped PIN and remaining nonpredictable 
code are compared with the corresponding retrieved 
values in order to determine verification. 
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code which is then entered into the central computer to 
METHOD AND APPARATUS FOR PERSONAL effect verification. 

IDENTIFICATION One potential difficulty with either of the systems 

indicated above is that an unauthorized individual may 
CROSS REFERENCE TO OTHER 5 be able to obtain access to the user s PIN by electronic 

APPLICATIONS eavesdropping, reducing the security provided by the 

system. If, for example, the PIN is transmitted over 
This application is a continuation in-part of applica- ^Mic lines, such as telephone lines, from the user to the 
tion Ser. No, 07/341,932 filed Apr. 21, 1989, now U.S. central verification computer, it may be possible to tap 
Pat. No. 5,023^908, which is a continuation-in-part of ,q ^^^^ ^^^^ intercept the PIN as it is being transmit- 
application Ser. No. 802,579 filed Nov. 27. 1985, issued jf jjjg pi^ is stored in the device, someone obtain- 

Dec, 5, 1989 as U.S. Pat. No. 4,885,778, which applica- device surreptitiously may, through sophisti- 

tion is itself a continuation-in-part of application Ser, ^ated means, be able to determine the PIN stored in the 
No. 676,626 filed Nov. 30, 1984. now U.S. Pat. No. device and thus defeat the security of the system. Fur- 
4,720,860, issued Jan, 19, 1988. The disclosures and 15 thermore, any storing of a PIN or password in the por- 
specifications of all of the foregoing applications/pat- table device for comparison defeats the purpose of an 
cnts are incorporated herein by reference as if fully set independent identification factor and reduces security 
forth. to a "thing" possessed. 

-^TTr^ ,^TX7T^vT^T^xT ^ ^^^d thcrefore exists for an improved means of 

FIELD OF THE INVENTION communicating a PIN or other user identification code 

This invention relates to methods and apparatus for to a central verification system such that someone tap- 
identifying an individual and more particularly to meth- ping the line over which the code is being sent will be 
ods and apparatus for providing improved security for a unable to determine the secret identification number 
personal identification number (PIN) utilized in con- and someone obtaining possession of the user device 
junction with such an identrication system. 25 wUl also not be able to obtain access to the user's secret 

identification number from the device. 
BACKGROUND OF THE INVENTION ^^^^^ ^ INVENTION 

Personal identification systems may be based on ... v. .u- • ^.^..t^^ 

something someone has. such as a card or badge, some- In accordance w.th the above. Ais ^^^^^^^^ 
thing thai someone knows, such as a PIN. or some 30 \""hod for personaHdentif.catwn and^a^^^^^ 
characteristic of the individual, such as his fingerprints the practK«: thereof wherem a device m the PO^eKion 
orspeechpattem-Securityforsuchsystemsisenhanced t"-;^^,,^^^^^^ 
by ut lizing two or more of the above m performing the varying, nonpicui^uiuic wuis, ^ 
rf " . generated at a given time is mixed with a secret PIN tor 

Identification Ayjn^m hu 35 the individual; the mixed output is communicated to a 

For example parent U S. Pat No. 4,720 860 d^^- verification computer; and the verification corn- 

closes a personal identification system wherein the indi- ^^^^ communicated 

vidual has a card or other small, portable device which ^^^^ ^^^.^^ ^^^^^^^ pj^ remaining non- 
contains a microprocessor programmed to utilize a se- j-edictable code to perform a verification operation 
cret algorithm to generate a nonpredictable number ^ Alternatively and equivalently. the mixed output which 
from a stored value unique to the individual and a tune communicated to the verification computer may be 
varying value provided for example by a clock. The verified in the verification computer without stripping 
nonpredictabic value is preferably displayed on the pj^ Preferably, before the mixed value is corn- 

device. The individual then enters his secret PIN into a municated to the verification computer, a nonsecret 
central verification system, either directly or over a identifying code for the individual is communicated to 
telephone line, causing the central system to access verification computer; the verification computer 

stored information corresponding to the individual and utilizes the nonsecret identifying code to obtain the PIN 
to utilize at least some of this information to generate a appropriate nonpredictabic code for the individual; 

nonpredictable value at the central computer utilizing verification operation includes the PIN and 

the same algorithm as at the individual's microproces- appropriate nonpredictable code obtained during the 
sor. At the same time this is being done, the individual obtaining step being compared with the stripped PIN. 
is entering the number appearing at that period of time ^nd remaining nonpredicUble code. Alternatively the 
onthedisplayofhisdevice. The two values will match, pj^ be stripped from the mixed value, the 

signifying identification of the individual, only if the verification computer may utilize the nonsecret idcnti- 
indi vidual has entered the correct PIN and if the indi- 55 fying code to retrieve or obtain the PIN and appropri- 
vidual has the proper device so that the nonpredictable ate nonpredictable code, combine the retrieved PIN 
code displayed corresponds to that being generated at and appropriate nonpredictable code, and perform a 
the central verification computer. verification operation between the mixed value commu- 

In other systems, such as those shown in U.S. Pat. nicated to the verification computer and the combina- 
No. 4.599,489 issued Jul. 8, 1986, the PIN may either be 60 tion of the retrieved PIN and appropriate nonprcdicta- 
stored in the user's device, or may be entered by the ble code. The verification computer may also generate 
user. If the PIN is stored in the device, it is read from a unique challenge value in response to the nonsecret 
the device by a suitable reader and causes the central identifying code which challenge code is communi- 
verification computer to generate a unique challenge cated to the device in possession of the individual. For 
code to the individual. This challenge code may either 63 one embodiment, the challenge code is communicated 
be entered by the individual into his machine, or may be to the individual and the individual inputs the challenge 
automatically sensed by the machine, and is operated on value and the PIN to his device, the device includes 
by the user's device to generate a unique nonpredictable means responsive to the challenge value for generating 
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the nonpredictabic code. During the mixing step, the keying his nonsecret identification number into tele- 
device may receive the PIN and the nonpredictabic phone 18 for transmission through telephone line 20, 
code and generate an output which is a predetermined telephone 22 and modem 24 to the verification corn- 
function of the inputs. The predetermined function puter. 

may. for example, be a sum of the inputs, for example 5 In response to the user input of his nonsecret code, 

the sum of the inputs without carry. the verification computer retrieves the user*s PIN and 

The foregoing and other objects, features and ad van- generates the nonpredictable code for the user, using 

tages of the invention will be apparent from the follow- the same algorithm and stored static value as user de- 

ing more particular description of preferred embodi- vice 10, and using a tune*related value from a clock 

ments of the invention as illustrated in the accompany- 10 device at the verification computer, which is main- 

ing drawings. tained in synchronism with the clock at the user device 



IN THE DRAWINGS 



in a manner discussed in the parent application (step 32). 
At the same time that the verification computer is re- 
FIG. 1 is a semi-block schematic diagram of the veri* trieving the PIN and nonpredictable code for the user, 
fication system of a first embodiment of the invention. 15 the user is inputting his PIN into his device 10 using key 
FIG. 2 is a block schematic diagram of a second pads or areas 12 (step 34). While the user is inputting his 
embodiment of the invention. pin, the user device is continuously generating non- 

FIG. 3 is a block flow diagram illustrating the opera- predictable code values at its internal processor in re- 
tion of the first embodiment of the invention and alterr sponse to the clock value and the stored static value 
native steps for the second embodiment of the inven- 20 using the unique algorithm at the user device processor 
tion. (step 36). 



DETAILED DESCRIPTION 



The next step in the operation, step 38, is for the 
generated nonpredictable code and the inputted pin to 

FIG. 1 shows illustrative structure for a personal be mixed by the processor in device 10 to generate a 

identification system of a first embodiment of the inven- 25 new nonpredictable code which is displayed on display 

tion. In this figure, a user verification device 10 is pro- 14. The mixing operation may be a simple addition of 

vided which is of the type described in the parent appli- the two values without carry, or with carry, (a constant 

cations. The device is preferably of the general size and added to a pseudo random number produces a pseudo 

shape of a standard credit card, although its thickness random number) or may involve a more sophisticated 

dimension may be slightly greater than that of such 30 mixing algorithm. 

cards. The device 10 has a clock which generates a time During step 40, the user transmits the displayed value 
dependent digital output to a microprocessor which is by use of telephone 18 through telephone line 20, tele- 
programmed with a unique algorithm to operate on the phone 22, and modem 24 to verification computer 16 
time*dependent clock input and on a stored static value During the next step in the operation, step 42, the 
unique to a given user to generate a multi bit non- 35 verification computer uses the PIN for the user which 
predictable code. A plurality of input areas 12 are pro- was retrieved during step 32 to strip the PIN from the 
vided on the face of device 10. These areas are prefera- inputted nonpredictable code, the result being a PIN 
bly each indicative of a numerical digit, for example the value and a nonpredictable code value. During step 44 
digits 1-0 as shown in FIG. 1, and may be pressure the stripped PIN is compared with the PIN retrieved 
sensitive pads or otherwise adapted to generate an elec- 40 during step 32 and during step 46 the nonpredictable 
trical output indicative of the area when the area is code remaining after the inputted value has the PIN 
touched by the user. Spacing may be provided between stripped therefrom is compared with the retrieved non- 
the individual areas 12 to assure distinctive outputs As predictable code. If matches are obtained during both 
will be described in greater detail hereinafter, the user steps 44 and 46 (step 48) the verification computer signi- 
may input his unique PIN on areas 12 which are mixed 45 fies verification. If a match is not found during either 
in the processor in device 10 with the nonpredictable step 44 or step 46 (step 50) then the user is rejected, 
code generated therein in response to the time-depend- Alternatively to steps 42, 44, 46, 48 and 50, the PIN 
ent and static inputs to generate a multi-bit nonpredicta- and nonpredictable code which are retrieved in step 32 
ble code which is displayed on area 14 of device 10. may be combined or mixed by the verification computer 
Area 14 may be a liquid crystal display or other suitable 50 during step 142 according to the same mixing operation 
display device for producing numeric or alpha-numeric which was carried out by the processor or user device 
characters. Each area of display 14 is adapted to display 10 in step 38, e.g. by a simple addition of the two values 
a different digit of the nonpredictable code. without carry, with carry, or according to some other 
The user initially transmits a nonsecret identifying more sophisticated algorithm. During alternative step 
code to verification computer 16 by keying this number 55 144 the separate results of the mixing operations carried 
into a telephone 18 at his location. This number is trans- out by the user device 10 and the verification computer 
mitted over telephone lines 20 to telephone 22 at the 16 are compared. If a match is obtained, step 148, the 
verification station and through a modem 24 at this user is verified. If a match is not found, step 150, the 
station to the verification computer. The user may then user is rejected. 

use the telephone 18 to key in and transmit the non- 60 A procedure is thus provided wherein user verifica- 

predictable code being displayed at that time on display tion may be obtained using the simple and inexpensive 

14. procedure disclosed in the parent applications while 

FIG. 3 is a flow diagram illustrating in greater detail still providing a high level of security for the user PIN. 

the operation of the system of FIG. 1 to perform a This security is achieved since the user PIN is never 

verification operation. Referring to FIG. 3, the first step 65 available on an open line which could be tapped except 

in the operation, step 30, is for the user to send his in the form of a word which is a mixture of the PIN 

nonsecret code to verification computer (VC) 16. As with a nonpredictable code and which is virtually im- 

previously indicated, this is accomplished by the user possible to decipher. 
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FIG. 2 illustrates an alternative configuration in combined coded value in performing a verification 

which the teachings of this invention may be utilized. In operation. 

FIG- 2, the user device 10 is of the same type shown in 2. Apparatus as claimed in claim 1 includmg means 

FIG. 1. However, for this embodiment of the invention, operative prior to the communicating of the value from 

the user device is adapted to be used in proximity to the 5 the mixing means for conimunicating the nonsecret 

verification station rather than from a remote location identifying code to said verification computer, 

over telephone lines. For this embodiment of the inven- 3. Apparatus as claimed in claim 2 wherein said verifi- 

tion, the verification station 60 includes a computer 62, cation computer includes means for utilizing the com- 

a display 64, such as for example a CRT display, and an municated nonsecret identifying code to retrieve the 

input device 66 which may, for example, be a standard »0 PIN and a unique challenge value for the individual; 

computer input keyboard. Referring again to FIG. 3, and 

the operation with this embodiment of the invention means for communicating the challenge value to the 

starts with step 30, during which the user sends a nonse- device. 

cret code to the verification computer 62 by, for exam- 4. Apparatus as claimed in claim 3 wherein said chal- 

ple, keying this code into input device 66. In response to lenge value communicating means includes means for 

receiving the nonsecret code, computer 60 retrieves the communicating the challenge value to the individual; 

PIN and generates the nonpredictablc code for the user and . . u 

(step 32) and also retrieves a challenge code for the user wherein the device includes means for permitting the 

which is displayed on display 64 (step 70). The user individual to input the challenge value and his PIN 

inputs his PIN and the challenge code in an order estab- to the device. 

lished for the system to user device 10 using input pads 5, Apparatus as claimed in claim 4 wherein said de- 

12 (step 72). During step 74, the processor in device 10 vice includes means responsive to the challenge value 

uses the inputted challenge code and the time inputted for generating the nonpredictablc code; and 

from its clock to generate a nonpredictablc code which, wherein said mixing means includes means, included 

during step 38, is mixed with the inputted pin and the ^ as part of the device, for receiving the mputted 

results are displayed on display 14 of device 10. From PIN and the generated nonpredictablc value and 

this point on, the operation for this embodiment of the for generating aji output which is a predetermined 

invention is the same as that previously described with function of the input. 

respect to the embodiment of FIG. 1, 6. Apparatus as claimed in claim 5 wherein said mix- 
Thus, with this embodiment of the invention, as with ing means adds the PIN to the nonpredictablc code, 
the prior embodiment of the invention, the pin in un- 7. Apparatus as claimed in claim 1 wherein said de- 
coded form is never transmitted in a manner such that it vice includes means for permitting the individual to 
could be observed and is not resident in the user's de- input his PIN to the device; and 
vice where it might, using sophisticated technology, be 35 wherein said means for mixing is included as part of 
retrieved, said device and is adapted to receive the PIN input- 
As an alternative to the embodiment shown in FIG. ted by the individual and the nonpredictablc code 
2, the nonsecret code may be recorded in machine read- and to generate an output which is a predetermined 
able form on device 10 and input device 66 might in- function of the input. 

elude a card reader which tfie card is inserted into to 40 8. Apparatus as claimed in claim 7 wherein said mix- 
permit the nonsecret code to be read into computer 62. ing means adds the PIN to the nonpredictablc code. 

While the invention has been shown and described 9, Apparatus as claimed in claim 1 wherein said verifi- 
above with reference to preferred embodiments, the cation computer includes, a means for mixing the re- 
foregoing and other changes in form and detail may be tricvcd PIN and appropriate nonpredictablc code gen- 
made therein by one skilled in the art without departing 45 crated by the verification computer at a given tmic 
from the spirit and scope of the invention, - according to the predetermined algorithm to generate a 

What is claimed is: second combined coded value. 

1. In a personal identification system of the type 10. Apparatus as claimed in claim 9 wherein the yeri- 

whcrcin a user is provided with a device generating a fication operation comprises comparing the combined 

unique, time varying, nonpredictablc code, with a 50 coded value with the second combined coded value, 

nonsecret identifying code and with a secret PIN, the 11. A method for identifying an individual compris- 

nonpredictable code at a given instant and the PIN ing the steps of: 

being provided to a central verification computer to utilizing a device in the possession of the individual to 

effect verification; apparatus for providing improved generate a unique time varying, nonpredictablc 

security for the PIN comprising: 55 code; 

means for mixing the nonpredictablc code generated mixing the nonpredictablc code generated at a given 

by the device at a given time with the PIN accord- time with a secret PIN for the individual to gener- 

ing to a predetermined algorithm to generate a ate a combined code; and 

combined coded value; communicating a nonsecret identifying code for the 

means for separately communicating the nonsecret 60 mdividual and the combined code to a central vcri- 

identifying code and the combined coded value to fication computer; 

the central verification computer; and the verification computer utilizing the nonsecret 
wherein the central verification computer includes identifying code to retrieve the PIN and generate 
means for utilizing the nonsecret identifying code an appropriate, unique, time-varying nonpredicta- 
to retrieve the PIN and generate an appropriate, 65 ble code for the individual, and utilizing the re- 
unique, time varying nonpredictablc code for the trieved PIN. appropriate nonpredictablc code, and 
individual, and means for utilizing the retrieved the combined code to perform a vcnfication opcra- 
PIN, appropriate nonpredictablc code and the tion. 
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12. A method as claimed in claim 11 wherein the 
verification computer also generates a unique challenge 
value in response to the nonsecret identifying code; and 

including the step of communicating the challenge 5 
value to the device in possession of the individual. 

13. A method as claimed in claim 12 wherein the 
challenge value is communicated to the individual; and 

including the step of the individual inputting the chal 
lenge value and his PIN to the device. 

14. A method as claimed in claim 13 wherein the 
device includes means responsive to the challenge value 
for generating the nonpredictable code; and 

wherein the mixing step includes the device receiving 
the PIN and the nonpredictable code and generat- 
ing an output which is a predetermined function of 
the inputs. 

20 



15. A method as claimed in claim 14 wherein said 
predetermined function is a sum of said inputs. 

16. A method as claimed in claim 14 including the 
step of the individual inputting his PIN to the device; 
and 

wherein the mixing step includes the device receiving 
the PIN inputted by the individual and the. non- 
predictable code and generating an output which is 
a predetermined function of the inputs. 

IT A method as claimed in claim 16 wherein said 
predetermined function is a sum of said input. 

18. A method as claimed in claim 11 wherein the 
verification computer utilizes the retrieved PIN and 
appropriate nonpredictable code by combining them to 
obtain a second combined code. 

19. A method as claimed in claim 18 wherein the 
verification operation comprises comparing the com- 
bined code and the second combined code. 
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